Separation Anxiety: AML, Privacy, Vendors & Multinationals

Last month, I had the pleasure of speaking at the 20th Annual ACAMS AML & Financial Crime Conference in Hollywood, FL.  From my understanding, it was the first time the organization had offered a panel on compliance and privacy for cross-border data flows. Our panel was well-attended, which demonstrated the industry’s growing concern about these issues. It was a great experience and I had a wonderful time with my fellow panelists.

I attended many panels in those two days as the lone academic in a sea of compliance professionals (social anthropology note: they dress better than academics, drinks are free and top-shelf, nice swag).  I had great conversations, quite a lot of fun, and the insights I gained from these interactions reinforced some of the mantras in my research.

So this intrepid academic decided to do some very informal interviewing and observations at the exhibition hall.  I walked through to see if any vendors listed privacy as a service in their displays (only 2). At the same time, I randomly asked about their experience with AML and privacy.

My opening salvo went something like this:

Do you have any technology-driven or governance-centered services that address AML and data protection for national or international banking?

“No, each of those services are client-driven.”
“We don’t have anyone at this conference who can speak about privacy.”
“It’s separate from AML.”
“Our service doesn’t handle data protection.”

At this point, there are few, if any, services able to provide the financial community with technological solutions that take into account INFOSEC, data protection, and compliance (AML and otherwise). And we cannot ignore the governance and policy instruments that must come with them. I love the automated aspects of the field, but they cannot, and should not, dominate compliance.

Now I’m not blaming the vendors solely for these shortcomings.  They respond to their customers’ demands.  Everyone is focusing on AML because the fines are getting bigger and privacy is pushed to the low-risk back-burner.   (By the way, I’ve found similar problems with privacy professionals, so I’m not picking on AML.)

These conditions also reflect a separation between security and privacy in the regulations themselves (e.g. I’ll be speaking about the still unresolved problems in the 4th Money Laundering Directive and data protection in London in May).

However, privacy is catching up.

I predict that in 5 years financial institutions will find themselves scrambling to respond to data protection/privacy regulations that are already issues, or in the pipeline.  They will spend money to employ a new team of specialized consultants, which will produce redundant services that could easily be integrated into existing structures with a little ingenuity. They will do all of this not realizing that privacy is already part of their business, because their clients already expect it.

Innovation involves seeing relationships beyond your nose – and the horizon.

The “Weaponization of Finance” is more than Sanctions – It’s Data

I am always happy when I see people address the links between finance and security because it is so rare.

Last month, Daniel Drezner, of Tufts University and the Brookings Institute, wrote about the “hard limits of economic statecraft” regarding the use of sanctions against Russia’s actions in the Ukraine (interview here too).  This week, Ian Bremmer and Cliff Kupchan, of the Eurasia Group listed “The Weaponization of Finance” as a “Top Risk of 2015.”

Bremmer and Kupchan correctly assert that the US’s global financial position affords American policymakers powerful means to influence behaviors beyond its borders.  Specifically, they note access to capital markets and sanctions as “tools of coercive diplomacy.”  They cite the US influence on norms in international organizations, the dollar’s role as the premier reserve and investment currency, and the vulnerability of the private banking sector to cyber-attack as further evidence of its power resources.

Sanctions deserve a place in the statecraft toolbox, but as Business Insider’s @elenaholodny summarized, they are difficult to employ successfully (see also David Baldwin’s classic Economic Statecraft, Meghan O’Sullivan’s Shrewd Sanctions, Cortright and Lopez’s Smart Sanctions, and Drezner’s own Sanctions Paradox).

Restricting the use of finance to sanctions limits its value to foreign affairs. The technological revolution in banking, which has digitalized the industry, finance’s multinational presence, and the increase in recordkeeping and reporting requirements after 9/11 and the 2008 crisis have provided policymakers with an opportunity to harness financial data to map behaviors, networks of violence, and illicit economies across borders.

The Eurasia Group hints at this: “The United States is expanding its ability to track the financial transactions [my emphasis] of government leaders of concern, as well as their state and private sector allies, in order to close their access to capital and property.”

But governments use financial data for more than sanctions. They do it to detect weaknesses in the system and to track networks of illicit crime and political violence.

Thus, financial data’s ability to help map networks of behavior, when combined with other types of information, means that finance’s role in foreign policy extends well beyond economics.

That is, of course, if government agencies can acquire that data – legally or otherwise.

I argue (briefly explained here and here) that financial data intelligence is one example of a new type of statecraft suited to the digital age; Information Statecraft – the attempt to influence through the acquisition, control, or presentation of data, information, or knowledge.

However, financial data isn’t solely held by governments; it’s held by private financial institutions, which presents numerous challenges to using financial data for sanctions or other policies. Bremmer and Kupchan also allude to this point – “the weaponization of finance is a tool that can be used with minimal cooperation from other governments.” While it oversimplifies the relationships involved, it does highlight the importance of private sector compliance.

Financial institutions have always treasured data for their own purposes, but now states are demanding they record, maintain, and report more of it to authorities (e.g. FATF recommendations for Politically Exposed Persons, Beneficial Ownership, Know Your Customer rules, Suspicious Action/Activity Reports, among others). For decades, and even more so after 9/11, governments have expected bankers to be AML/CTF sentinels, which is very far from their primary business of making money.

The weaponization of finance is real, and has been evolving for a while.  We need to expand our views of statecraft to accommodate the new realities of the digital world, and this is especially true of the relationship between finance and foreign policy.

Finance, Secure Systems, Regulatory Compliance, and Data Protection are Not the Same

I’ve been reading a lot about privacy and financial data (including studying for the CIPP/US and EU exams) since returning from Europe, for a new book I’m writing about the politics and practice of financial data in transatlantic counter-terrorism cooperation, which I will write about in future posts.

Most people do not think about money and data surveillance. It’s more common to talk about how governments monitor our emails, phone calls, Facebook entries, or mobile data because they are communications technologies in their unambiguous forms, but we don’t put much thought into what makes money tick.  The reality is that money is data and we have to view it as more than an instrument of wealth. 

Financial data is money, and it reveals behaviors.

Banks run entirely on information technologies for everything they do, no matter what type of transaction or industry, and they are keen to use that data (or Big Data) as a commodity unto itself to sell you things, create market strategies, and get ahead of their competition. If a bank’s IT systems are down for 48 hours, that bank is gone, gone, gone.

And digital currency (e.g. Bitcoin) is not a new dawn either. The anchor of the international monetary system, Special Drawing Rights (SDRs, or XDR, their formal currency code), were created by the G10 governments in the 1960s and have never existed except in digital form.

It’s time to focus on how money is data because financial institutions and governments certainly do so, since our spending habits reveal our behaviors and intentions.  As the old saying goes – “put your money where your mouth is.”  We tend to invest when we believe in things or people, and not much happens without at least a little money changing hands.

Which brings me to financial data protection and privacy.

The common refrain I heard from regulators and those in the financial services was that “finance is already heavily regulated so privacy isn’t much of an issue.” This is false logic. Assuring client data confidentiality, compliance with record-keeping and accountancy guidelines, or ensuring sound security protocols does not automatically guarantee data privacy. It’s a mistake to assume that because banks make sure that their data systems are not hackable, or that they are compliant with regulations, the privacy of client data naturally follows.

My own bank failed to do this, and I offer this narrative as a small example of the disconnect among these concepts. My visa application to Belgium required a bank letter stating that my accounts were in good standing. I was not required to provide amounts, but in the end the bank gave me no choice but to disclose this information to third parties. I received a letter from corporate (after I tried to obtain the letter at the local branch I was told that they did not have that information – so you can decide to give me a loan, but this is too much?) with all the amounts of my accounts included.

The legal disclaimer was priceless:

“Our response is commensurate with the purpose and amount of your inquiry. The information provided is strictly confidential and intended for use solely by the requesting party and in reliance on your statement of intended purpose or use.”

No, the letter was not generated to the “purpose and amount” of my inquiry, and it certainly exceeded my intended purpose and use. I specifically asked for no amounts to be listed in the letter. The customer service representative said that it was a form letter, they could not alter it, and it “was generated by our lawyers.”

“The information is furnished as a matter of courtesy without a duty to do so and without responsibility, liability or warranty, express or implied, on the part of ________________ to you to any third party. Information is obtained from electronic data sources, which may not contain all information in _____________ possession; information is not guaranteed to be accurate and may be a matter of opinion. We do not accept any responsibility for errors, omissions or alterations after delivery. The information is constantly changing and therefore subject to change without notice. _______________ will not update this response unless another written inquiry is received. This information applies to the name of the subject of the inquiry as styled in your request and does not include any indirect or related accounts or obligations, unless expressly specified in our response. _______________ encourages you to contact more than one credit reference prior to making any credit decision. If you received this response by FAX and you are not the intended recipient or an agent responsible for delivering it to the intended recipient, you are hereby notified that you have received this document in error, and that any review, dissemination, distribution or copying of the information contained in this message is strictly prohibited. If you have received this communication in error, please notify us immediately by telephone and return the message to us by mail.”

I could comment about a lot of this, but the last part is precious.  So if you send this to someone by mistake, just let us know.  No damage done.

I hope that my bank’s data systems are secure.  I hope they comply with regulations.  But I also know that US law gives me little control of how my data is handled, and corporate procedures imbue precious little concern about my financial privacy into their practices. So my financial data, my financial behavioral data, gets compromised more than I’d like to believe.

Companies, and the law, need to stop thinking of privacy, security, and compliance as mutually inclusive.  They do overlap, but one does not necessarily represent another, and these systems and safeguards need to be developed in tandem.

p.s. I did write to complain and I received a mundane corporate response claiming that they could not do anything about it. They did thank me for bringing it “to their attention” which is corporate speak for telling me to fly off a building.